From 9903a9f9dc3f32ea1154e074f75d30a317c77746 Mon Sep 17 00:00:00 2001
From: Emanuela Epure <67077116+emanuelaepure10@users.noreply.github.com>
Date: Wed, 26 Jun 2024 12:03:41 +0200
Subject: [PATCH] fix: replace broken or risky cryptographic algorithm
Replace MD5 with SHA-256 because MD5 is susceptible to several vulnerabilities, including collision attacks. By switching from MD5 to SHA-256, we enhance the security of your hashing process, making it suitable for modern cryptographic applications.
ING-4368
---
 .../groovy/internal/PreferencesGroovyService.java | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ui/plugins/eu.esdihumboldt.hale.ui/src/eu/esdihumboldt/hale/ui/service/groovy/internal/PreferencesGroovyService.java b/ui/plugins/eu.esdihumboldt.hale.ui/src/eu/esdihumboldt/hale/ui/service/groovy/internal/PreferencesGroovyService.java
index 9689fdcf92..bd5410675b 100644
--- a/ui/plugins/eu.esdihumboldt.hale.ui/src/eu/esdihumboldt/hale/ui/service/groovy/internal/PreferencesGroovyService.java
+++ b/ui/plugins/eu.esdihumboldt.hale.ui/src/eu/esdihumboldt/hale/ui/service/groovy/internal/PreferencesGroovyService.java
@@ -15,8 +15,8 @@
 package eu.esdihumboldt.hale.ui.service.groovy.internal;
-import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
@@ -317,9 +317,9 @@ private synchronized String getScriptHash() {
 // not simply using hashCode, because it would be far to easy to
 // modify the script in a undetectable way
 try {
-MessageDigest md = MessageDigest.getInstance("MD5");
+MessageDigest md = MessageDigest.getInstance("SHA-256");
 for (String script : scripts)
-md.update(script.getBytes("UTF-8"));
+md.update(script.getBytes(StandardCharsets.UTF_8));
 byte[] hash = md.digest();
 StringBuilder sb = new StringBuilder(2 * hash.length);
 for (byte b : hash) {
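Review bot: The `for (String script : scripts)` loop still feeds every script into the digest back to back, so the SHA-256 value covers only the concatenated text and not the boundaries between scripts; two different script lists whose joined content is the same hash identically. Since the comment above the `try` says the hash exists so that a script cannot be modified undetectably, a length prefix per script would close that gap, with braces added around the loop body: `byte[] data = script.getBytes(StandardCharsets.UTF_8);` `md.update(ByteBuffer.allocate(Integer.BYTES).putInt(data.length).array());` `md.update(data);` (this needs an import of `java.nio.ByteBuffer`). The digest value also changes with the algorithm, so if it is persisted and compared elsewhere (not visible in this hunk), hashes stored under MD5 will stop matching; that presumably fails safe, but it is worth stating in the commit message. The method starts before this hunk and continues past it.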
@@ -329,9 +329,7 @@ private synchronized String getScriptHash() {
 // Both exceptions cannot happen in a valid Java platform.
 // Anyways, if they happen, execution should stop here!
 } catch (NoSuchAlgorithmException e) {
-throw new IllegalStateException("No MD5 MessageDigest!");
-} catch (UnsupportedEncodingException e) {
-throw new IllegalStateException("No UTF-8 Charset!");
+throw new IllegalStateException("No SHA-256 MessageDigest!");
 }
 }
 return scriptHash;
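Review bot: The comment kept at the top of this hunk still reads `Both exceptions cannot happen`, but only `NoSuchAlgorithmException` is caught once the `UnsupportedEncodingException` branch is removed, so the comment is now stale. It could become `// NoSuchAlgorithmException cannot happen on a valid Java platform, SHA-256 is a required algorithm.` with the second comment line reworded to the singular. The rethrow also drops the cause; `throw new IllegalStateException("No SHA-256 MessageDigest!", e);` would keep the underlying provider error in the stack trace. The enclosing method begins outside this hunk.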